# Default 150, 10 000 probably won't hurt with RAM of modern devices
cache-size=10000

# Also listen on IPv6 localhost
listen-address=::1,127.0.0.1

# Attempt to verify DNSSEC
# ln -s /usr/share/dnsmasq/trust-anchors.conf trust-anchors.conf
#                  dnsmasq-base on Ubuntu
dnssec

# Verify that DNSSEC is not stripped. This breaks OpenDNS, but at time
# of writing I don't care about OpenDNS as them not supporting DNSSEC is
# their issue, not my issue.
# https://support.opendns.com/hc/en-us/community/posts/220015487-Implement-DNSSEC
# https://support.opendns.com/hc/en-us/community/posts/220018307-DNSSEC-on-resolver-side
# https://support.opendns.com/hc/en-us/community/posts/220022287-support-for-DNSSEC
dnssec-check-unsigned